I've just noticed, since the update of my sensor and MC to S235, that there are two new signatures, 50010 WORM_SOBER and 50011 WORM_MYTOB. Are these related to the ICS OpSig signatures 50001 and 50002, as there doesn't appear to be any info on them? Can I disable them if not using ICS?
Signatures 50000.0, 50000.1, and 50000.2 should be left at their default in your setup, which is disabled.
They are used by the Cisco Incident Control Server (CICS) system to apply what is called an OpACL. An OpACL is a coarse-grain filter on ICMP, UDP, or TCP packets (see the 3 subsigs, one per protocol). It is used by the Outbreak Prevention service to filter traffic on ports being used by a worm for propagation, communication, etc. They will be tuned by the CICS when it receives notification of an outbreak. This service is an extra feature that you can purchase; it is otherwise disabled and has no effect on the sensor. If you had the service and an outbreak was declared, the system would be triggered to tune the appropriate 50000 sub-signature to block traffic on the propagation channels while a fine-grained, higher-fidelity signature (an OpSig) was developed and automatically deployed to your sensor. At that time, the coarse-grained OpACL would be disabled. The purpose here is an extremely fast (minutes) response while a more time-consuming (hours), better response is developed.
Now, 50002, since the question always gets asked anyway: this was a signature that Trend requested to go out with their first updates (V1.0). This was for customers who run ICS so they can test their setups. It is very similar to the EICAR virus test signature.
50010 and 50011 are a "by-product" of ICS... basically, we (the signature team) will roll the virus updates into a later sigupdate. They are virus-specific; you can leave them enabled, there's really no harm.
However, thanks for bringing this to our attention... we'll look at linking the signatures in an upcoming sigupdate.
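An added illustration (not part of the thread and not Cisco ICS/CICS code): a small Python model of the two-stage response the answer above describes, where a coarse OpACL sub-signature is tuned to drop everything on a worm's propagation port and is then switched off once a fine-grained OpSig that matches the worm's payload is deployed. It shows the trade-off the answer implies: while the OpACL is active, legitimate traffic on the same port is dropped too. The order in which the three 50000 sub-signatures map to protocols, port 4444, the payload marker and the OpSig id 50099 are all assumptions made for the example.

```python
"""Constructed model of the OpACL -> OpSig outbreak response described in the thread.
Illustrative only; not Cisco ICS/CICS code. Sub-signature-to-protocol order, port,
payload marker and the OpSig id are assumed values."""
from dataclasses import dataclass, field

# Assumed mapping of the three 50000 sub-signatures to IP protocols (the thread says
# "one per protocol" but does not state the order).
OPACL_SUBSIGS = {"icmp": "50000.0", "udp": "50000.1", "tcp": "50000.2"}


@dataclass
class Packet:
    proto: str           # "icmp", "udp" or "tcp"
    dport: int           # destination port (0 for ICMP)
    payload: bytes = b""


@dataclass
class SensorState:
    # OpACL: per-protocol set of ports to drop; an empty set means disabled (the default).
    opacl_ports: dict = field(
        default_factory=lambda: {"icmp": set(), "udp": set(), "tcp": set()})
    # OpSigs: (proto, port) -> (signature id, payload marker that must be present)
    opsigs: dict = field(default_factory=dict)


def opacl_enable(state, proto, ports):
    """CICS tunes the coarse sub-signature for one protocol to block the given ports."""
    state.opacl_ports[proto] = set(ports)
    return OPACL_SUBSIGS[proto]


def opacl_disable(state, proto):
    """Return the sub-signature to its default (disabled) state."""
    state.opacl_ports[proto] = set()


def opsig_deploy(state, sig_id, proto, port, marker):
    """Install a fine-grained signature that only fires on the worm's own payload."""
    state.opsigs[(proto, port)] = (sig_id, marker)


def evaluate(state, pkt):
    """Return (action, signature id). The OpSig is checked first because it carries
    the higher-fidelity verdict; the OpACL then drops everything else on the
    propagation ports for as long as it is enabled."""
    sig = state.opsigs.get((pkt.proto, pkt.dport))
    if sig is not None and sig[1] in pkt.payload:
        return ("deny", sig[0])
    if pkt.dport in state.opacl_ports[pkt.proto]:
        return ("deny", OPACL_SUBSIGS[pkt.proto])
    return ("allow", None)


def outbreak_scenario():
    """Walk through default -> OpACL stage -> OpSig stage and return the verdicts
    for a worm packet and a benign packet that share the same port."""
    state = SensorState()
    worm = Packet("tcp", 4444, b"\x00WORM-MARKER\x00")   # constructed sample
    benign = Packet("tcp", 4444, b"hello")                  # legitimate use of the port
    results = {}
    # Default: OpACLs disabled, nothing is blocked.
    results["default"] = (evaluate(state, worm), evaluate(state, benign))
    # Minutes after the outbreak is declared: coarse block on the propagation port.
    opacl_enable(state, "tcp", {4444})
    results["opacl"] = (evaluate(state, worm), evaluate(state, benign))
    # Hours later: fine-grained OpSig deployed (hypothetical id), OpACL disabled.
    opsig_deploy(state, "50099", "tcp", 4444, b"WORM-MARKER")
    opacl_disable(state, "tcp")
    results["opsig"] = (evaluate(state, worm), evaluate(state, benign))
    return results


if __name__ == "__main__":
    for stage, (worm_verdict, benign_verdict) in outbreak_scenario().items():
        print(f"{stage:8} worm={worm_verdict} benign={benign_verdict}")
```

The point to take from the model: in the "opacl" stage both packets are denied by 50000.2, so the coarse filter buys time at the cost of collateral blocking; in the "opsig" stage only the worm packet is denied, which is why the OpACL is switched back off as soon as the OpSig is in place.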